[ https://issues.apache.org/jira/browse/HIVE-14372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15450614#comment-15450614 ]
Junjie Chen commented on HIVE-14372:
------------------------------------

Hi Vihang Karajgaonkar

I can reproduce case 1 and case 2, but cannot reproduce case 3. Can you run klist -k <keytab> to check whether you added server hostname to some principal? Or could you please dump klist -k <keytab>?

Furthermore, it would be better if you can set beeline log level to debug and paste output for case 1 and case 2.

> Odd behavior with Beeline parsing server principal in Kerberized environment
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-14372
>                 URL: https://issues.apache.org/jira/browse/HIVE-14372
>             Project: Hive
>          Issue Type: Bug
>          Components: Beeline
>            Reporter: Vihang Karajgaonkar
>            Assignee: Junjie Chen
>
> Case 1:
> I can replace the realm with any garbage realm, and it still works.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.t...@abc.xyz
> scan complete in 4ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.t...@abc.xyz
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.t...@abc.xyz:
> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.t...@abc.xyz:
> Connected to: Hive (version 0.10.0)
> Driver: Hive (version 0.10.0-cdh4.2.0)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
> -----------
> tab_name
> -----------
> t1
> t2
> test
> -----------
> 3 rows selected (1.749 seconds)
> 0: jdbc:hive2://c62-n3.intuit.test:10000/>
> {code}
> Case 2:
> I can keep the garbage realm, but if I use a different hostname (notice I've truncated it to c62-n3.intuit instead of c62-n3.intuit.test), it fails (as it should) but the error message is not at all user-friendly.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC
> scan complete in 4ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC:
> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC:
> 13/06/10 08:34:29 ERROR transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
>     at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
>     at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:396)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
>     at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
>     at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
>     at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
>     at java.sql.DriverManager.getConnection(DriverManager.java:582)
>     at java.sql.DriverManager.getConnection(DriverManager.java:185)
>     at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
>     at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
>     at org.apache.hive.beeline.Commands.connect(Commands.java:965)
>     at org.apache.hive.beeline.Commands.connect(Commands.java:896)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
>     at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
>     at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
>     at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
>     at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
>     ... 32 more
> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
>     at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
>     at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
>     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
>     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
>     at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
>     ... 35 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
>     at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
>     at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
>     at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
>     ... 40 more
> org.apache.thrift.transport.TTransportException: GSS initiate failed
>     at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
>     at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:396)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
>     at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
>     at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
>     at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
>     at java.sql.DriverManager.getConnection(DriverManager.java:582)
>     at java.sql.DriverManager.getConnection(DriverManager.java:185)
>     at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
>     at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
>     at org.apache.hive.beeline.Commands.connect(Commands.java:965)
>     at org.apache.hive.beeline.Commands.connect(Commands.java:896)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
>     at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
>     at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
>     at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
>     at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
> Error: Invalid URL: jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC (state=08S01,code=0)
> {code}
> Case 3:
> If I truncate the hostname portion of the principal to the shortname (hive/c62-n3), it works. This should fail, since the principal 'hive/c62-n3' does not exist.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC
> scan complete in 3ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC:
> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC:
> Connected to: Hive (version 0.10.0)
> Driver: Hive (version 0.10.0-cdh4.2.0)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
> -----------
> tab_name
> -----------
> t1
> t2
> test
> -----------
> 3 rows selected (1.553 seconds)
> 0: jdbc:hive2://c62-n3.intuit.test:10000/>
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
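
As an added example (not part of the issue or of Hive's code), a pre-connect check that parses the `principal=` parameter of a `jdbc:hive2` URL, compares its host part with the URL host, and looks the full principal up in `klist -k <keytab>` output. The keytab listing, its path, the realm `EXAMPLE.REALM` and the function names are constructed for illustration.

```python
import re

# Constructed `klist -k <keytab>` output; keytab path and realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/path/to/hive.keytab
KVNO Principal
---- ----------------------------------------
   2 hive/c62-n3.intuit.test@EXAMPLE.REALM
   2 hive/c62-n3.intuit.test@EXAMPLE.REALM
"""

URL_RE = re.compile(r"^jdbc:hive2://(?P<host>[^:/;]+)(?::\d+)?/[^;]*(?P<params>(?:;[^;]*)*)$")
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def keytab_principals(klist_text):
    """Distinct principals from `klist -k` rows of the form '<KVNO> <principal>'."""
    found = set()
    for line in klist_text.splitlines():
        fields = line.split()
        # Header and separator rows do not start with a numeric KVNO.
        if len(fields) >= 2 and fields[0].isdigit():
            found.update(f for f in fields[1:] if "@" in f)
    return found


def parse_url(url):
    """Return (host, principal or None); assumes no '?' or '#' sections in the URL."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not a jdbc:hive2 URL: %r" % url)
    params = dict(p.split("=", 1) for p in m.group("params").split(";") if "=" in p)
    return m.group("host"), params.get("principal")


def check_principal(url, klist_text):
    """Return findings; an empty list means URL host and keytab both agree."""
    host, principal = parse_url(url)
    m = PRINCIPAL_RE.match(principal or "")
    if not m:
        return ["principal %r is not of the form service/host@REALM" % principal]
    findings = []
    if m.group("host").lower() != host.lower():
        findings.append("principal host %r differs from URL host %r" % (m.group("host"), host))
    if principal not in keytab_principals(klist_text):
        findings.append("principal %r is not in the keytab listing" % principal)
    return findings
```

Against the constructed listing, the URLs from case 2 and case 3 each produce two findings, and a URL with the full hostname but an unknown realm produces one.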